<?php
include_once( "common.php" );

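# Login handler: checks the posted credentials against the User table, opens a
# session on success and redirects; on failure it clears any session and alerts.

# Read the posted fields without touching missing keys. An undefined-index notice
# printed before header() can prevent the redirect from being sent, and a
# non-string value (e.g. user[]=x) must not reach addslashes()/md5().
$user = ( isset( $_POST["user"] ) && is_string( $_POST["user"] ) ) ? $_POST["user"] : "";
$password = ( isset( $_POST["password"] ) && is_string( $_POST["password"] ) ) ? $_POST["password"] : "";

# NOTE(review): addslashes() is not charset-aware and is not a substitute for
# bound parameters. If the db_* layer in common.php offers parameter binding or
# connection-aware escaping, this query should use it instead.
$user = addslashes( $user );

# NOTE(review): unsalted MD5 is not a suitable password hash. Moving to
# password_hash()/password_verify() needs a change to the stored values, which
# is outside this file, so the stored format is left as it is here.
$passwordHash = md5( $password );

$result = db_query( "SELECT * FROM User WHERE User.name = '{$user}' AND User.password = '{$passwordHash}'" );
if ( db_num_rows( $result ) == 1 )
{
    $row = db_fetch_object( $result );
    if ( $row->locked == TRUE )
    {
        outputAlert( "Account locked", "Your account has been locked." );
        # Stop here so a locked account never receives a session. Without this,
        # execution continues into session_start() below unless outputAlert()
        # itself ends the request (its definition is not visible in this file).
        exit;
    }

    session_start();
    # Issue a fresh session id at the privilege change so an id that was set
    # before authentication cannot be reused afterwards (session fixation).
    session_regenerate_id( true );
    $_SESSION["user"] = $row->id;

    # Update the last login time
    db_query( "UPDATE User SET login = NOW() WHERE User.id = {$_SESSION["user"]}" ) or outputAlert( "Database error", "There was a database error and your login time was not updated." );

    # Did the user want to see a bug?
    # The id is only checked for being numeric here, so it is URL-encoded before
    # going into the header; viewBug.php still has to validate it on its own.
    $bugId = isset( $_POST["id"] ) ? $_POST["id"] : null;
    if ( is_numeric( $bugId ) )
        header( "Location: viewBug.php?id=" . rawurlencode( $bugId ) );
    else
        header( "Location: main.php" );

    # Nothing may run or be emitted after the redirect header.
    exit;
}
else
{
    # Drop any existing session so a failed attempt never leaves a logged-in state.
    session_start();
    unset( $_SESSION["user"] );
    session_destroy();
    outputAlert( "Invalid credentials", "You entered invalid credentials." );
}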
?>
